Oracle addresses 237 vulnerabilities across multiple products

The January 2018 Oracle Critical Patch Update (CPU) fixes 237 new security vulnerabilities across hundreds of Oracle products, including the company’s widely used Oracle Database Server and Java SE.

The CPU includes:

Fixes for the Java Virtual Machine and four other vulnerable components within the Oracle Database Server, the most severe of which carries a CVSS Base Score of 9.1 out of 10; three of the flaws may be exploited remotely without credentials.

New security fixes for 21 vulnerabilities in multiple versions of Java SE, 18 of which are remotely exploitable without authentication. The most severe of the Java SE vulnerabilities has a CVSS Base Score of 8.3. The CPU includes fixes for flaws in Java SE versions 6 through 9.

Two deserialization vulnerabilities identified in the Java platform by Waratek are patched in the January 2018 CPU.

The number of vulnerabilities patched in the Java platform has doubled since January 2016.

“The velocity and volume of Java software flaws continues to trend in the wrong direction,” said John Matthew Holt, CTO of Waratek. “One research report shows that 86% of the most severe patches require 30 days or more to apply, while another concludes that the average time to apply a patch is 90 days or longer. In either event, that is an unacceptably long period of time given that attacks often commence within hours of the announcement of a new vulnerability.”

“The January 2018 CPU is released into an environment where virtually every enterprise is working to deploy the patches released for the Spectre and Meltdown chip vulnerabilities on top of the routine patches that must be routinely applied,” added Holt.

Analysis

While there is some good news in the January CPU (the overall number of bugs patched in the Update is down from the high of July 2017), the number of Java flaws being found and fixed is flat quarter-over-quarter and has doubled since January 2016. Equally troubling is that the number of Java SE flaws that can be remotely exploited without credentials remains in the double digits after years of single-digit counts.

Java deserialization vulnerabilities also continue to be a key component of the January 2018 CPU. Waratek researched the JRE codebase and identified two new unbounded memory allocation vulnerabilities in two JRE subcomponents that may be remotely exploitable without authentication. Unbounded allocation is a denial-of-service class of deserialization flaw: the reader trusts a size taken from the untrusted stream and allocates it before any validation, so a few bytes on the wire can exhaust the heap.
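The following is an added illustration of the unbounded-allocation class in general, not code from the Oracle CPU, from Waratek, or from the affected JRE subcomponents (which the article does not name). It is a constructed, self-contained example: a Serializable class whose custom readObject trusts a length field from the stream, alongside a hardened variant that caps the length before allocating, plus a hostile stream built by patching the declared length in an otherwise legitimate serialized object. The class names, the 1 MiB limit and the marker bytes are assumptions made for the example. The ObjectInputFilter call requires Java 9 (JEP 290); it is included to show the process-wide mitigation and, just as importantly, its limit: the filter sees arrays the serialization runtime creates, not a `new byte[len]` performed inside application readObject code, so the explicit length check is still required.

```java
import java.io.*;

// Added example, not from the original page: trusting vs. validating a declared
// length during Java deserialization. Class names and limits are assumptions.
public class DeserializationDemo {

    static final byte MARK = (byte) 0x5A;          // marker bytes we can locate in the stream

    // Vulnerable: allocates whatever size the stream claims. Four attacker-controlled
    // bytes request a ~2 GiB array before any application logic has run.
    static final class UncheckedBlob implements Serializable {
        private static final long serialVersionUID = 1L;
        transient byte[] data;                      // transient: we serialize it by hand below

        UncheckedBlob(byte[] data) { this.data = data; }

        private void writeObject(ObjectOutputStream out) throws IOException {
            out.defaultWriteObject();
            out.writeInt(data.length);
            out.write(data);
        }

        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            int len = in.readInt();                 // attacker-controlled
            data = new byte[len];                   // unbounded allocation
            in.readFully(data);
        }
    }

    // Hardened: validate the declared length against an application limit first.
    static final class CheckedBlob implements Serializable {
        private static final long serialVersionUID = 1L;
        static final int MAX_LEN = 1 << 20;         // 1 MiB, an assumed application limit
        transient byte[] data;

        CheckedBlob(byte[] data) { this.data = data; }

        private void writeObject(ObjectOutputStream out) throws IOException {
            out.defaultWriteObject();
            out.writeInt(data.length);
            out.write(data);
        }

        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            int len = in.readInt();
            if (len < 0 || len > MAX_LEN) {
                throw new InvalidObjectException("declared length out of range: " + len);
            }
            data = new byte[len];
            in.readFully(data);
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject(o); }
        return bos.toByteArray();
    }

    static int indexOf(byte[] hay, byte[] needle) {
        outer:
        for (int i = 0; i + needle.length <= hay.length; i++) {
            for (int j = 0; j < needle.length; j++) if (hay[i + j] != needle[j]) continue outer;
            return i;
        }
        return -1;
    }

    // Simulate a hostile peer: take the legitimate stream for a 3-byte payload and
    // overwrite the 4-byte length that precedes the marker bytes with 0x7FFFFFFF.
    static byte[] inflateDeclaredLength(byte[] stream) {
        byte[] needle = {0, 0, 0, 3, MARK, MARK, MARK};
        int at = indexOf(stream, needle);
        if (at < 0) throw new IllegalStateException("length field not found");
        byte[] hostile = stream.clone();
        hostile[at] = 0x7F;
        hostile[at + 1] = hostile[at + 2] = hostile[at + 3] = (byte) 0xFF;
        return hostile;
    }

    public static void main(String[] args) throws Exception {
        byte[] payload = {MARK, MARK, MARK};       // constructed sample input
        byte[] hostileUnchecked = inflateDeclaredLength(serialize(new UncheckedBlob(payload)));
        byte[] hostileChecked = inflateDeclaredLength(serialize(new CheckedBlob(payload)));

        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(hostileUnchecked))) {
            in.readObject();
            System.out.println("unchecked: allocated the requested array");
        } catch (OutOfMemoryError e) {
            System.out.println("unchecked: " + e);  // heap exhausted on a 12-byte-longer payload
        }

        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(hostileChecked))) {
            // JEP 290 (Java 9): whitelist the expected class and bound stream-created arrays and depth.
            // This filter does NOT see the new byte[len] inside readObject; the length check does.
            in.setObjectInputFilter(ObjectInputFilter.Config.createFilter(
                    "maxdepth=8;maxarray=1048576;DeserializationDemo$CheckedBlob;!*"));
            in.readObject();
            System.out.println("checked: accepted");
        } catch (InvalidObjectException e) {
            System.out.println("checked: rejected, " + e.getMessage());
        }
    }
}
```

Compile and run with `javac DeserializationDemo.java && java DeserializationDemo` on Java 9 or later. The unchecked path fails with an OutOfMemoryError from a payload only twelve bytes longer than the object it imitates; the checked path rejects the same stream with an InvalidObjectException before allocating. The general lesson for code that reads from ObjectInputStream, DataInputStream or any length-prefixed format is the same: bound every size field against what the application can legitimately need, and treat the JEP 290 filter as defence in depth rather than a substitute for that check.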

Recommended actions

Apply the appropriate binary CPU as quickly as possible as more than 85% of the CVEs impacting Java users addressed in the January 2018 CPU can be remotely exploited without credentials.